Your company stores customer_orders in BigQuery and feeds several Looker Studio dashboards. Internal analysts need unrestricted access, but a third-party call-center vendor should:
see only the rows where region_code equals their assigned region,
see a masked version of the credit_card_number column, and
have no direct IAM access to the underlying table or its storage objects. Which approach meets the security requirements with the least ongoing maintenance effort?
Grant the vendor the BigQuery Data Viewer role on the dataset, attach a dynamic masking policy to credit_card_number, and add a row-level security policy on region_code.
Build a materialized view that filters by region_code and hashes credit_card_number, rely on automatic refresh, and grant the vendor access only to this materialized view.
Tag credit_card_number with a masking policy using column-level security, define a row-level access policy on region_code, and publish the dataset as a listing in Analytics Hub for the vendor to subscribe to.
Create an authorized view that filters on region_code and masks credit_card_number, then share only the view with the vendor.
Publishing the dataset through Analytics Hub creates a linked dataset in the vendor's project so you do not need to grant dataset or table IAM roles. Column-level security policy tags can apply a dynamic masking policy to credit_card_number, while a row-level access policy on region_code filters rows at query time. These policies continue to work transparently through the linked dataset and Looker Studio, eliminating the need to create and maintain separate views or other objects.
Granting the vendor Data Viewer on the dataset violates the requirement to avoid direct table permissions. An authorized view could work but would require building and maintaining a separate view for each vendor and updating the SQL to mask the column. A materialized view would have similar maintenance overhead and you would still need a separate object per vendor, even though BigQuery automatically refreshes materialized views.
Ask Bash
Bash is our AI bot, trained to help you pass your exam. AI Generated Content may display inaccurate information, always double-check anything important.
What is a dynamic masking policy in BigQuery?
Open an interactive chat with Bash
How does row-level security work in BigQuery?
Open an interactive chat with Bash
What is the purpose of Analytics Hub in BigQuery?
Open an interactive chat with Bash
What is Analytics Hub in GCP?
Open an interactive chat with Bash
How does column-level security with dynamic masking work?
Open an interactive chat with Bash
What is row-level security in BigQuery?
Open an interactive chat with Bash
GCP Professional Data Engineer
Preparing and using data for analysis
Your Score:
Report Issue
Bash, the Crucial Exams Chat Bot
AI Bot
Loading...
Loading...
Loading...
Pass with Confidence.
IT & Cybersecurity Package
You have hit the limits of our free tier, become a Premium Member today for unlimited access.
Military, Healthcare worker, Gov. employee or Teacher? See if you qualify for a Community Discount.
Monthly
$19.99 $11.99
$11.99/mo
Billed monthly, Cancel any time.
$19.99 after promotion ends
3 Month Pass
$44.99 $26.99
$8.99/mo
One time purchase of $26.99, Does not auto-renew.
$44.99 after promotion ends
Save $18!
MOST POPULAR
Annual Pass
$119.99 $71.99
$5.99/mo
One time purchase of $71.99, Does not auto-renew.
$119.99 after promotion ends
Save $48!
BEST DEAL
Lifetime Pass
$189.99 $113.99
One time purchase, Good for life.
Save $76!
What You Get
All IT & Cybersecurity Package plans include the following perks and exams .